Purpose of a group firewall rulex

Hey,

Firewall groups are given for the admin's convenience as admins can group the rules for a similar purpose or source or destination etc.. 

XG follows a top-down approach when it comes to matching the traffic against the firewall rules. Firewall rules added in the group don't have any influence over the ones which aren’t. 

Whichever rule is matched first (from top to bottom) will be applicable for that specific traffic.

Hello,

I understood the top-down principle, only not in connection with the group and the rule within it.

Could you please explain it differently again?

Your Rules have no Traffic counter. You see 0 Bytes, this means, this firewall does not hit. You need to check why those rules are not hitting. 

Firewall rules only apply on Source, Destination and service. In terms of User based firewall rules, the source is replaced with the user information of live user. 

Hi,

yes I also saw that a lot of my rules show no traffic. That surprises me too, that's why I fight for it all the time.

Unfortunately I don't understand where the problem can be.

I didn't quite understand what would happen if.

Ok, so as soon as I apply a live user, the source is replaced. That means, he already knows exactly which one he comes from.

But what can be wrong there? I also tried to determine the problem via the live protocol, but it doesn't quite work for me when the protocol was just to get an understanding of it.

Yes, now I am at a loss. !!!

Show me your Liveusers in current activities. 

Try to switch the zone to ANY zone. Check the Services, move to ANY services, check if it will apply generally speaking to the source without a service. 

Likely its a matter of matching (Service or Zone or live user). 

Hi,

So I showed the firewall rule. In it you can see the groups of clientless users that should normally be used.

In the "IoT ESP" group, you can also see e.g. the two controllers 001/002 that are inserted there in the group.

I then carried out a firmware update on one of the controllers via the web server from the client and it received the firmware update, although the rule is active and the IoT ESP group is stored for the user.

The rule itself does not show any traffic that has passed over it.

Are the screenshots enough for you?

greeting

Show us the DHCP Mapping. 

The IP 172.16.100.17 that is the controller2. Controller1 is below, so I didn't include it in the screenshot.

I checked the MAC addresses, the client address is also correct, I was on the web server with the IP address and can also see the client's MAC address. It should be the right client.

Check your Zone.

In Firewall you used Zone WIFI, the DHCP Server is Zone LAN. Change the Zone to LAN. 

Zones are still a filter, which will be used to match. 

Hi,

the source and destination networks are the same, do you have a hairpin NAT for this rule?

Also your SIP rule looks a little odd.

Ia

ok, thats it. That was the problem. I have changed the zone from sorufe Wifi to source LAN.

Ok why is that so. My thought was completely wrong. I thought, because there are WiFi devices, I also have to turn on the WiFi zone. What nonsense of me.

It remains physically but everything on LAN level and the zones are only to be filtered in advance for the services.

Is my statement correct ??? If not please correct.

ok, thats it. That was the problem. I have changed the zone from sorufe Wifi to source LAN.

Ok why is that so. My thought was completely wrong. I thought, because there are WiFi devices, I also have to turn on the WiFi zone. What nonsense of me.

It remains physically but everything on LAN level and the zones are only to be filtered in advance for the services.

Is my statement correct ??? If not please correct.

Zones are in principle defined by the interface. Each and every interface has to be mapped to a Zone. If you create a physical or logical interface, the firewall ask you "what zone is this?". This is to be easily able to create firewall rules.

As you can define a interface as LAN (192.168.1.0/24), you can create a firewall rule LAN to WAN, which cover LAN (All interfaces in LAN Zone) to all Internet based Interfaces (WAN). It removes the need of defining network objects for each interface or knowing the IPs etc. 

Mhhh, sorry that I asked stupid. Network technology is not easy.

But that doesn't replace the NAT rule, does it?

Unfortunately, I didn't quite understand that. Sorry :-)

XG is a Zone based Firewall. Zones are not in any relation to NAT. 

zones are like the predefined network objects, you know of UTM9. UTM9 creates 3 objects per Interface, you create. Zones are like that just with a summary option. You can have per interface one individual zone. Or you can include 4000 Interfaces within one zone. There are pre defined zones like LAN or WIFI. But one interface can only be in one Zone. It does not separate the clients within one zone. It simply categorize the interfaces into zones. 

Ok, I'll try to remember that.

It looks kind of strange to me the zone principle.

It looks to me that only pre-defined services are possible in this zone.

Somehow I don't get along with the zone principle.

Is one set up a new thread.

Thank you very much for the great support, but always remember that the user-friendliness in the XG still needs to be improved, in my opinion :-), but that's another topic.

Thank you again for the good support from you. I've learned a little about it.

Greetings and thanks

The point is: Zone, user based firewall etc. is not invented by Sophos. It is a concept of next generation firewalls. Other vendors do the same. So its not about user friendliness, more likely your background with other products. Somebody coming from UTM (stateful firewall with attached modules) can get confused about this kind of interaction, but luckly, XG can do the same like UTM, if you want.